Fake CERT‑UA Phishing Campaign Drops AGEWHEEZE RAT to Over 1 M Users

Attackers spoofed the sender address of the Ukrainian Computer Emergency Response Team (CERT‑UA) in a massive phishing blast that reached more than one million inboxes. The email carried a seemingly innocuous Office document; once the recipient enabled its macro, it silently installed the AGEWHEEZE Remote Access Trojan and established persistent command‑and‑control channels from the victim's system.
The RAT gives the operator full remote control, credential harvesting, and lateral‑movement capabilities, so a single enabled macro exposes the whole organization behind that mailbox. Defenders should prioritize three controls: validate sender domains with SPF, DKIM and DMARC and reject mail from the impersonated domain that fails those checks; block macro execution in Office documents from untrusted sources; and hunt for the known AGEWHEEZE indicators of compromise, such as its file hashes and C2 infrastructure, to stop the campaign before it spreads further.
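The following triage script is an added example, not code from the original report or from CERT‑UA. It demonstrates the first two controls above on a constructed sample: it parses the Authentication-Results header the receiving MTA stamps on a message, flags a message whose From domain claims the trusted sender (assumed here to be cert.gov.ua) while DMARC did not pass, and inspects each Office attachment for an embedded VBA project (a vbaProject.bin part inside the OOXML zip, or a legacy OLE binary that could carry one). The sample message, its headers and the attachment bytes are all constructed inline; no AGEWHEEZE artefacts are reproduced.

```python
"""Triage a suspicious email: sender-authentication results and macro-bearing Office attachments.

Added example; not code from the original report. The trusted domain (cert.gov.ua), the
sample message and the attachment bytes are constructed for illustration.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Signature of a legacy OLE compound file (.doc/.xls/.ppt): macro-capable, needs oletools for a definitive verdict.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results headers (None if absent)."""
    results = {"spf": None, "dkim": None, "dmarc": None}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech in results:
            m = re.search(rf"\b{mech}=(\w+)", str(hdr))
            if m:
                results[mech] = m.group(1).lower()
    return results


def from_domain(msg):
    """Domain of the RFC 5322 From address, i.e. the address the recipient actually sees."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def has_vba_macro(data):
    """True if an Office attachment carries a VBA project (OOXML) or is a legacy OLE binary."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    return data.startswith(OLE_MAGIC)


def triage(raw_bytes, trusted_domain="cert.gov.ua"):
    """Return a list of findings for one raw RFC 5322 message; empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    auth = parse_auth_results(msg)
    dom = from_domain(msg)
    # A message claiming the trusted sender must have passed DMARC alignment at our MTA.
    if dom == trusted_domain and auth["dmarc"] != "pass":
        findings.append(f"From claims {dom} but DMARC result is {auth['dmarc']} (spf={auth['spf']}, dkim={auth['dkim']})")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if has_vba_macro(data):
            findings.append(f"attachment {name} carries a VBA project")
    return findings


def build_sample_eml(spoofed=True):
    """Constructed sample: a spoofed CERT-UA lure with a .docm, or a legitimate-looking clean message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if spoofed:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a real VBA project stream
    msg = EmailMessage()
    msg["From"] = "CERT-UA <alerts@cert.gov.ua>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Urgent security advisory"
    if spoofed:
        msg["Authentication-Results"] = ("mx.example.com; spf=fail smtp.mailfrom=cert.gov.ua; "
                                         "dkim=none; dmarc=fail header.from=cert.gov.ua")
        filename, subtype = "advisory.docm", "vnd.ms-word.document.macroEnabled.12"
    else:
        msg["Authentication-Results"] = ("mx.example.com; spf=pass smtp.mailfrom=cert.gov.ua; "
                                         "dkim=pass header.d=cert.gov.ua; dmarc=pass header.from=cert.gov.ua")
        filename, subtype = "advisory.docx", "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.set_content("Please review the attached advisory.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("spoofed", build_sample_eml(True)), ("clean", build_sample_eml(False))):
        print(label, triage(raw) or ["no findings"])
```

The check keys on the header-From domain rather than the envelope sender because that is what the recipient sees and what DMARC aligns against; a lure that passes SPF for some unrelated bulk-mail domain still fails here. Treating every legacy OLE binary as macro-capable is deliberately conservative: confirming an actual VBA stream in .doc/.xls files requires a proper OLE parser such as oletools.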